Compliance Improvements and Internal Controls
Now that we’ve all had a few weeks to sit with the latest Justice Department guidance about effective corporate compliance programs, let’s consider the next logical question. What must compliance officers be able to do, to deliver what this guidance wants to see?
That’s been on my mind for two weeks, because these updates emphasize not just compliance program assessment, but also compliance program evolution. Or, as the guidance itself says, prosecutors will want to know “why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”
That’s new text that we haven’t seen in prior Justice Department guidance. And while some might believe those lines aren’t significant — haven’t the U.S. Sentencing Guidelines required periodic assessment of compliance program effectiveness for years, after all? — I’m not sure that’s a wise interpretation.
For example, the Sentencing Guidelines specifically say this about reviewing your program:
The organization shall take reasonable steps… to evaluate periodically the effectiveness of the organization’s compliance and ethics program;
Now look at the Justice Department’s latest guidance again. Those words talk about how the company’s compliance program has evolved over time. Meaning the company didn’t just take reasonable steps to evaluate the compliance program; it also took the next step of amending the program to keep pace with the company’s evolving risks.
Further in the guidance under the heading “Evolving Updates,” the Justice Department was even more clear about what it wants to see. Consider this paragraph, and especially the new material, flagged in red:
How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments or subsidiaries? Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
You see my point. The Justice Department wants compliance programs to have strong, sophisticated capability in program assessment and improvement.
So if that’s the goal for the program, what does that mean for compliance officers’ own skills? What becomes more important?
Risk Assessments vs. Internal Controls
It’s no secret that many compliance officers either are lawyers or have extensive understanding of the law. That’s a valuable skill for corporate compliance because it helps with risk analysis: you can study a law or regulation, compare its requirements to your company’s operations, and then explain what amount of liability your company incurs by continuing to operate the way it does.
That ability will never be unimportant in corporate compliance. Heck, it’s even directly relevant to the Justice Department’s new questions about “lessons learned from… other companies facing similar risks.” You don’t need a legal mind to dissect the lessons learned from other enforcement actions, but it helps hugely.
I’m more interested in the other capabilities compliance professionals will need to have — more about developing, testing, and improving internal controls.
For example, say your company sells goods in China. It’s a straightforward exercise to understand the statutes that drive anti-bribery compliance risks in that country, and to implement measures such as anti-bribery training and due diligence policies.
Well, what about assessing the effectiveness of accounting policies and procedures? What about reviewing financial systems to assure that books and records are recorded properly?
After all, if we’re talking about lessons learned from other companies, those are the lessons the enforcement community is sending us about the Foreign Corrupt Practices Act. In one case after another in recent years, the Securities and Exchange Commission has slapped civil penalties against Microsoft, Juniper Networks, Cardinal Health, Quad/Graphics, and others.
The specific weaknesses and misconduct vary, from secret spreadsheets to track bribes (Polycom), to incomplete documentation (Microsoft), to flexible accounting policies (Sanofi), and more. But if the broad message from the Justice Department is that it wants to see companies paying attention and improving their internal compliance operations — the improvements to be made are about practical, nuts-and-bolts issues around IT governance, data collection, and accounting technology.
That’s nerd. To be clear, I find issues like these fascinating, so I wear the nerd badge proudly — but they are nerd. The skills to navigate such nerdness are quite different from what compliance professionals might learn in law school.
Skill for the Future
Some people will say that regulators apply the expectations for internal control too zealously, when the FCPA only requires that internal controls deliver “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” There’s wiggle room in the statute for the effectiveness of internal controls, critics say, and you could defend your case in court.
In theory that’s true. In the real world, however, settlement is almost always the better option, because it’s the fastest path to certainty, and then management can move on to the next problem. And if the company wants to settle, it will have to give the regulators what they want: an effective compliance program.
Let’s also consider two other corporate misconduct issues looming large these days: fraud related to Covid, and cybersecurity. Boards worry about both quite a bit. They are starkly different challenges, but in both cases, a compliance program to reduce those risks will rely on internal controls that govern how data is moved around, how documentation and evidence is collected, and how quickly one can audit the program and produce assurance to show your controls work.
So how well can your compliance team assess internal control? How well can it implement changes, test them, document success or failure, and measure improvement?
I know many compliance officers who come from a legal background and also excel at these tasks — but we should have no illusion that this is a different set of skills than risk analysis, investigation, and argument for a course of action, which is what lawyers typically do best.
So I wonder what all this will mean for the evolution of compliance programs and compliance professionals in years to come. We’ll see.